プラットフォーム
php
コンポーネント
5992b65cca5612c036f1d31d8d8f0646
修正版
1.0.1
CVE-2026-4973 describes a cross-site scripting (XSS) vulnerability affecting SourceCodester Online Quiz System versions up to 1.0. This flaw resides within the /add-question.php file endpoint and allows attackers to inject malicious scripts by manipulating the quiz_question parameter. Successful exploitation could lead to session hijacking or defacement. A patch is expected, and temporary mitigation strategies are available.
An attacker can exploit this XSS vulnerability to inject arbitrary JavaScript code into the SourceCodester Online Quiz System. This code could be executed in the context of a user's browser when they access the affected page. The impact ranges from simple defacement of the quiz system to more severe consequences like stealing user session cookies, redirecting users to malicious websites, or even gaining control of the user's account. Given the quiz system's potential use in educational or assessment settings, this could compromise sensitive user data and system integrity. The public availability of the exploit increases the risk of immediate exploitation.
CVE-2026-4973 has been publicly disclosed and a proof-of-concept exploit is available, indicating a higher probability of exploitation. The vulnerability is not currently listed on CISA KEV, but its public nature warrants close monitoring. The LOW CVSS score reflects the relatively simple exploitation path and potential impact, but the availability of a PoC significantly increases the risk.
Organizations and individuals using SourceCodester Online Quiz System version 1.0, particularly those hosting the application on shared hosting environments or without robust security monitoring, are at increased risk. Educational institutions and businesses relying on the quiz system for assessments or training are also vulnerable.
• php / web:
curl -s -X POST "http://<target>/add-question.php?quiz_question=<script>alert('XSS')</script>" | grep "<script>alert('XSS')</script>"• generic web:
curl -I http://<target>/add-question.php?quiz_question=<script>alert('XSS')</script>• generic web: Examine access logs for requests to /add-question.php containing suspicious JavaScript code in the quiz_question parameter.
disclosure
エクスプロイト状況
EPSS
0.03% (9% パーセンタイル)
CISA SSVC
CVSS ベクトル
The primary mitigation for CVE-2026-4973 is to upgrade to a patched version of SourceCodester Online Quiz System as soon as it becomes available. Until then, several temporary measures can be implemented. First, implement strict input sanitization on the quizquestion parameter within the /add-question.php file. Second, configure a Web Application Firewall (WAF) to filter out potentially malicious JavaScript code. Third, review and harden the application's security configuration, ensuring proper output encoding and escaping. After applying mitigations, verify the fix by attempting to inject a simple JavaScript payload through the quizquestion parameter and confirming it is not executed.
Actualizar SourceCodester Online Quiz System a una versión posterior a la 1.0. Si no hay actualizaciones disponibles, se recomienda deshabilitar o eliminar el componente vulnerable. Como medida temporal, se puede implementar una validación y sanitización exhaustiva de la entrada 'quiz_question' en el archivo add-question.php para prevenir la inyección de código malicioso.
脆弱性分析と重要アラートをメールでお届けします。
CVE-2026-4973 is a cross-site scripting (XSS) vulnerability in SourceCodester Online Quiz System versions up to 1.0, allowing attackers to inject malicious scripts via the /add-question.php endpoint.
If you are using SourceCodester Online Quiz System version 1.0, you are potentially affected by this vulnerability. Upgrade to a patched version as soon as it's available.
The recommended fix is to upgrade to a patched version of SourceCodester Online Quiz System. Until then, implement input sanitization and WAF rules.
A proof-of-concept exploit is publicly available, suggesting a high probability of active exploitation.
Refer to the SourceCodester website and security forums for updates and advisories regarding CVE-2026-4973.